Created attachment 107990 [details]
abort-pdfs.zip

OS: Fedora 20 (running in virtualbox)
Dependencies installed with: yum-builddep poppler
Version: GIT Master
Command line: master/pdftocairo -svg <attached.pdf> /dev/null

Multiple PDFs that cause abort.

###########################################################################
GDB output:

Reading symbols from /home/foobar/poppler/utils/.libs/lt-pdftocairo...done.
Starting program: /home/foobar/poppler/utils/.libs/lt-pdftocairo -svg abort-_cairo_scaled_glyph_page_destroy-311-pdftocairofuzz-9.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Syntax Error (1936): Dictionary key must be a name object
Syntax Error (1938): Dictionary key must be a name object
Syntax Error: Missing or invalid CharProcs dictionary in Type 3 font
lt-pdftocairo: cairo-scaled-font.c:459: _cairo_scaled_glyph_page_destroy: Assertion `!scaled_font->cache_frozen' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff55ff877 in raise () from /lib64/libc.so.6
The pdf uses Type 3 fonts, which are rendered using user fonts. The bug is triggered by the user font render function in poppler returning CAIRO_STATUS_USER_FONT_ERROR. This causes _cairo_scaled_glyph_lookup() (which has an assert (scaled_font->cache_frozen)) to call _cairo_scaled_font_free_last_glyph(), which calls _cairo_scaled_glyph_page_destroy(), which contains an assert(!scaled_font->cache_frozen).

I'm not sure what the correct fix is.
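The chain described in the comment above, as an added example that is neither cairo's code nor the attached reproducer: a reduced model in which a caller freezes the glyph cache, the lookup reserves a glyph slot, the user-font callback (poppler's role) returns an error, and the rollback destroys the now-empty page while the cache is still frozen. All names and structures here are simplifications invented for the model; the "fixed" ordering (release the freeze around the page destroy and restore it afterwards) is an assumption chosen to illustrate the invariant, not a description of the committed cairo fix.

```c
/* Added example (not cairo's code): a reduced model of the glyph-cache
 * freeze invariant described in this bug. The "fixed" ordering below is an
 * assumption for the model, not a description of the committed cairo fix. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1, STATUS_USER_FONT_ERROR = 2 };

typedef struct { int num_glyphs; } glyph_page_t;   /* only the count matters here */

typedef struct {
    bool cache_frozen;                   /* mirrors scaled_font->cache_frozen */
    glyph_page_t *last_page;             /* one page suffices for the model */
    int (*render_glyph)(unsigned long);  /* user-font callback (poppler's role) */
    bool invariant_violated;             /* set where cairo's assert would abort */
} scaled_font_t;

static void freeze_cache(scaled_font_t *f) { f->cache_frozen = true; }
static void thaw_cache(scaled_font_t *f)   { f->cache_frozen = false; }

/* Counterpart of _cairo_scaled_glyph_page_destroy, whose
 * assert (!scaled_font->cache_frozen) is recorded here instead of aborting. */
static void page_destroy(scaled_font_t *f)
{
    if (f->cache_frozen)
        f->invariant_violated = true;
    free(f->last_page);
    f->last_page = NULL;
}

/* Counterpart of _cairo_scaled_font_free_last_glyph: an empty page is
 * destroyed. use_fix=false keeps the caller's freeze across the destroy
 * (the ordering the report describes); use_fix=true releases it around the
 * destroy and restores it afterwards (model assumption). */
static void free_last_glyph(scaled_font_t *f, bool use_fix)
{
    if (--f->last_page->num_glyphs > 0)
        return;
    if (use_fix)
        thaw_cache(f);
    page_destroy(f);
    if (use_fix)
        freeze_cache(f);
}

/* Counterpart of _cairo_scaled_glyph_lookup: expects a frozen cache,
 * reserves a slot, asks the backend to render, rolls back on failure. */
static int glyph_lookup(scaled_font_t *f, unsigned long index, bool use_fix)
{
    int status;

    if (!f->cache_frozen)                /* cairo: assert (scaled_font->cache_frozen) */
        f->invariant_violated = true;
    if (f->last_page == NULL && (f->last_page = calloc(1, sizeof *f->last_page)) == NULL)
        return STATUS_NO_MEMORY;
    f->last_page->num_glyphs++;

    status = f->render_glyph(index);
    if (status != STATUS_SUCCESS)
        free_last_glyph(f, use_fix);
    return status;
}

/* Caller side (cairo_show_glyphs down to the extents code): freeze, look up, thaw. */
static int show_glyph(scaled_font_t *f, unsigned long index, bool use_fix)
{
    freeze_cache(f);
    int status = glyph_lookup(f, index, use_fix);
    thaw_cache(f);
    return status;
}

/* Constructed callback: even indices render, odd ones fail like a Type 3
 * glyph whose CharProcs entry is missing. */
static int render_even_only(unsigned long index)
{
    return index % 2 == 0 ? STATUS_SUCCESS : STATUS_USER_FONT_ERROR;
}

typedef struct { int status; bool invariant_violated; } scenario_result_t;

/* Shows the given glyphs in order on a fresh font and reports the outcome. */
static scenario_result_t run_scenario(const unsigned long *indices, int n, bool use_fix)
{
    scaled_font_t f = { false, NULL, render_even_only, false };
    scenario_result_t r = { STATUS_SUCCESS, false };
    for (int i = 0; i < n; i++)
        r.status = show_glyph(&f, indices[i], use_fix);
    r.invariant_violated = f.invariant_violated;
    free(f.last_page);
    return r;
}

int main(void)
{
    static const unsigned long first_fails[] = { 1 }, second_fails[] = { 0, 1 };
    scenario_result_t a = run_scenario(first_fails, 1, false);
    scenario_result_t b = run_scenario(first_fails, 1, true);
    scenario_result_t c = run_scenario(second_fails, 2, false);
    printf("buggy, first glyph fails:  violated=%d\n", a.invariant_violated);
    printf("fixed, first glyph fails:  violated=%d\n", b.invariant_violated);
    printf("buggy, second glyph fails: violated=%d\n", c.invariant_violated);
    return 0;
}
```

The third scenario shows why the failing glyph has to be the first one stored on its page: when an earlier glyph already occupies the page, the rollback only decrements the count and the page-destroy path (and its assert) is never reached. In every scenario the render error is still propagated to the caller as a status, which is the behaviour a consumer such as poppler should expect to check after drawing rather than an abort.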
Created attachment 108188 [details]
311-unfuzzed.pdf

Attached unfuzzed file as per request.
*** Bug 92517 has been marked as a duplicate of this bug. ***
Created attachment 120654 [details]
user-font-abort.c

If it helps, the attached C program reproduces this abort.
Created attachment 128058 [details]
fuzzed-testcase

This testcase triggers the assertion error.

To run:
pdftocairo pdf2svg-2016-05-14T22-58-38.312292.pdf -svg o.svg
This bug is present in the latest version of cairo (1.15.2). This is a stack trace:

"""
#0  0xb7fdcd40 in __kernel_vsyscall ()
#1  0xb786a367 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb786ba23 in __GI_abort () at abort.c:89
#3  0xb78636c7 in __assert_fail_base (fmt=0xb799fd14 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0xb7c20f34 "!scaled_font->cache_frozen", file=file@entry=0xb7c20f16 "cairo-scaled-font.c", line=line@entry=459, function=function@entry=0xb7c213a0 <__PRETTY_FUNCTION__.10693> "_cairo_scaled_glyph_page_destroy") at assert.c:92
#4  0xb7863777 in __GI___assert_fail (assertion=0xb7c20f34 "!scaled_font->cache_frozen", file=0xb7c20f16 "cairo-scaled-font.c", line=459, function=0xb7c213a0 <__PRETTY_FUNCTION__.10693> "_cairo_scaled_glyph_page_destroy") at assert.c:101
#5  0xb7bc2b3f in _cairo_scaled_glyph_page_destroy (scaled_font=0x80a4190, page=0x80a4ee8) at cairo-scaled-font.c:459
#6  0xb7bc2cf3 in _cairo_scaled_font_free_last_glyph (scaled_font=0x80a4190, scaled_glyph=0x0) at cairo-scaled-font.c:2912
#7  0xb7bc5192 in _cairo_scaled_glyph_lookup (scaled_font=0x80a4190, index=0, info=CAIRO_SCALED_GLYPH_INFO_METRICS, scaled_glyph_ret=0xbfffd39c) at cairo-scaled-font.c:2993
#8  0xb7bc6295 in _cairo_scaled_font_single_glyph_device_extents (extents=0xbfffd598, glyph=0xbfffdca8, scaled_font=0x80a4190) at cairo-scaled-font.c:2167
#9  _cairo_scaled_font_glyph_device_extents (scaled_font=0x80a4190, glyphs=0xbfffdca8, num_glyphs=1, extents=0xbfffd598, overlap_out=0x0) at cairo-scaled-font.c:2219
#10 0xb7b7ced3 in _cairo_composite_rectangles_init_for_glyphs (extents=0xbfffd580, surface=0x0, op=3221214716, source=0xbfffd598, scaled_font=0x80a4190, glyphs=0xbfffdca8, num_glyphs=1, clip=0x8090588, overlap=0x0) at cairo-composite-rectangles.c:447
#11 0xb7bbbbb3 in _cairo_recording_surface_show_text_glyphs (abstract_surface=0x808fd30, op=CAIRO_OPERATOR_OVER, source=0xbfffd984, utf8=0x0, utf8_len=0, glyphs=0xbfffdca8, num_glyphs=1, clusters=0x0, num_clusters=0, cluster_flags=(unknown: 0), scaled_font=0x80a4190, clip=0x8090588) at cairo-recording-surface.c:1013
#12 0xb7bce178 in _cairo_surface_show_text_glyphs (surface=0x808fd30, op=CAIRO_OPERATOR_OVER, source=0xbfffd984, utf8=0x0, utf8_len=0, glyphs=0xbfffdca8, num_glyphs=1, clusters=0x0, num_clusters=0, cluster_flags=(unknown: 0), scaled_font=0x80a4190, clip=0x8090588) at cairo-surface.c:2617
#13 0xb7bce178 in _cairo_surface_show_text_glyphs (surface=0x808fc18, op=CAIRO_OPERATOR_OVER, source=0xbfffd984, utf8=0x0, utf8_len=0, glyphs=0xbfffdca8, num_glyphs=1, clusters=0x0, num_clusters=0, cluster_flags=(unknown: 0), scaled_font=0x80a4190, clip=0x8090588) at cairo-surface.c:2617
#14 0xb7b87ad1 in _cairo_gstate_show_text_glyphs (gstate=0x80a34b8, glyphs=0x8091120, num_glyphs=1, info=0x0) at cairo-gstate.c:2024
#15 0xb7b77e91 in cairo_show_glyphs (cr=0x808fea8, glyphs=0x8091120, num_glyphs=1) at cairo.c:3319
#16 0x080527fa in CairoOutputDev::endString (this=0x808e110, state=0x6) at CairoOutputDev.cc:1456
#17 0xb7e36811 in Gfx::doShowText (this=0x80903c8, s=0x80905c0) at Gfx.cc:4125
#18 0xb7e3713f in Gfx::opShowText (this=0x80903c8, args=0xbfffef44, numArgs=1) at Gfx.cc:3825
#19 0xb7e258c0 in Gfx::execOp (this=0x80903c8, cmd=0x0, args=0xbfffef44, numArgs=1) at Gfx.cc:904
#20 0xb7e2e94e in Gfx::go (this=0x80903c8, topLevel=true) at Gfx.cc:763
#21 0xb7e2eec7 in Gfx::display (this=0x80903c8, obj=0xbffff174, topLevel=true) at Gfx.cc:729
#22 0xb7e75c56 in Page::displaySlice (this=0x808edb0, out=0x808e110, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=false, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:601
#23 0xb7e7dd88 in PDFDoc::displayPageSlice (this=0x808d4f8, out=0x808e110, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=false, printing=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:528
#24 0x0804eb93 in renderPage (output_h=<optimized out>, output_w=<optimized out>, page_h=<optimized out>, page_w=<optimized out>, pg=<optimized out>, cairoOut=<optimized out>, doc=<optimized out>) at pdftocairo.cc:673
#25 main (argc=3, argv=0xbffff414) at pdftocairo.cc:1197
(gdb)
"""
*** Bug 100724 has been marked as a duplicate of this bug. ***
Fixed with https://cgit.freedesktop.org/cairo/commit/?id=5fd0b8710f125bb33c55d75fcc8252996b403e2d

Jason, would you like to turn your test program into a cairo test case? Or would you like me to do it under the same license as the cairo test suite?
(In reply to Adrian Johnson from comment #8)
> Jason, would you like to turn your test program into a cairo test case? Or
> would you like me to do it under the same license as the cairo test suite?

That would entail adding a CAIRO_TEST() statement and adding it to the Makefile.sources? I'm not familiar with the cairo test suite, so I think it's better if you do it. The cairo test suite license is fine.